On Wed, 2005-04-20 at 12:38 +0530, Suresh Ramasubramanian wrote:
seen on a local linux mailing list -
It looks like some one broke into VSNL's name server and done some harm to open source websites I'm now using Airtel's (mantraonline) name server and able to browser the sites mentioned above any one have any idea whats happening ??? while nslookup to the VSNL's name server I'm getting 66.151.179.147 for all those sites. the list includes, gnomefiles.org gnome-look.org gforge.org mantisbt.org
suresh@frodo 12:23:32 [~]$ whois 66.151.179.147 Internap Network Services PNAP-06-2001 (NET-66-150-0-0-1) 66.150.0.0 - 66.151.255.255 Promosis Inc. PNAP-BSN-PROMO-RM-01 (NET-66-151-179-128-1) 66.151.179.128 - 66.151.179.191
The promosis.com site, however, is an all flash site that says they've developed promo campaigns for Bose, Oracle, art.com, Forbes etc. Looks legit ..
Any idea? Something that works when NS is changed couldnt be spyware on the guy's PC though he is a newbie to linux, and is surfing the net using firefox on a windows PC
I cleaned a few PCs that had a search toolbar installed on the browsers. (Both IE and Firefox) In addition to offering prominent sex links, other revenues seemed based upon guiding users into trying out a list of anti-stuff that actually made things worse. One trick, among many nasty tricks, was to heavily load the /windows/system/driver32/etc/hosts file to disable sites that may offer a remedy and to also block their updates. The search toolbar and the anti-stuff were provided by the same "accredited" company (although using different names). Even registry settings made it appear some software was loaded, but when the user attempted to uninstall this bogus software, it fired-up a link that took them back to anti-stuff site, using IE, which was not the default browser. I see the same type of service offered here, but by different names. -Doug